LUOV
Ward Beullens, Bart Preneel, Alan Szepieniec, Frederik Vercauteren
Overview
1 Introduction
2 Modifications
3 Some numbers
4 Conclusion
What is LUOV? (baby don't hurt me)

Unbalanced Oil and Vinegar (UOV) [Patarin 1997]
• Quadratic trapdoor function: P : F_q^n → F_q^m with n > m.
• Trapdoor is a factorization P = F ∘ T, where T is linear and F is linear in the last m variables (the oil variables).
• Well understood signature scheme, fast, small signatures, but large keys. Used as a building block for other MQ schemes (e.g. Rainbow).

Goal of LUOV is to reduce the key sizes (while preserving the good properties of UOV):
• Generate SK from seed
• Generate most of PK from seed [Petzoldt]
• Field lifting
Field lifting

Field Lifting Assumption: Solving a random system P(x) = y over F_{2^r} is as hard as solving a random system P(x) = y, where P is defined over F_2, when r is prime.

Field lifting: Given a UOV key pair (P, T) over F_2, we can use it as a key pair over F_{2^r}. The public system then has F_2 coefficients on the left (P(x)) and elements of F_{2^r}, written in powers of α, on the right (H(M)):

$$
\begin{aligned}
x_1^2 + x_1 x_2 + x_3 + x_1 x_4 + x_4 x_5 + x_5 &= 1 + \alpha^2 + \cdots + \alpha^{30} \\
x_2^2 + x_2 x_3 + x_3 + x_2 x_6 + x_3 x_4 + x_3 x_5 + x_6 &= 1 + \alpha + \cdots + \alpha^{31} \\
x_1 x_2 + x_2 x_3 + x_3 x_4 + x_2 + x_5 x_6 &= \alpha + \alpha^5 + \cdots + \alpha^{31} \\
\underbrace{\qquad\qquad\qquad\qquad\qquad\qquad}_{P(x)} &\phantom{=} \underbrace{\qquad\qquad\qquad\qquad}_{H(M)}
\end{aligned}
$$
Attacks
• Key recovery attacks: studied since 1997.
• Forgery attacks: solve P(x) = y for x.

Subfield differential attack (Ding et al. 2019): pick a random x_0 and solve P(x_0 + x') = y for x' in a subfield.

Claimed complexity of the attack:

Parameters       Security lvl   Subfield              Complexity
LUOV-8-58-237    2              F_{2^2} ⊂ F_{2^8}     2^107
LUOV-48-43-222   2              F_{2^8} ⊂ F_{2^48}    2^135

Solution: choose F_{2^r}, with r prime, such that there are no subfields to exploit. ⇒ No performance penalty.

We study some generalizations of the attack in the revised LUOV submission document.
Round 2 improvements
• Take smaller parameters ⇒ more efficient.
• Add salt to message before signing ⇒ improved security against fault injection attacks and side-channel attacks.
• Break up PRNG calls into multiple smaller calls ⇒ speed-up by parallelization, lower memory usage.
• Constant-time AVX2 optimized implementation.
• Add option to use ChaCha8 instead of SHAKE to expand public randomness ⇒ ×2.5 and ×5.2 faster signing and verification respectively (SL1).
Round 2.1 modifications
• Choose field extension of prime degree.

Original   New
F_{2^8}    F_{2^7}
F_{2^48}   F_{2^47}
F_{2^64}   F_{2^61}
F_{2^80}   F_{2^79}

• Aim for security levels 1, 3, 5 instead of 2, 4, 5 ⇒ smaller keys and signatures and better performance.

Updated submission package will be online next week.
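As an added example (not the LUOV reference implementation or any code from the submission), the following toy lifted UOV ties together three points from these slides: the field-lifting slide (keys with F_2 coefficients, signing and verification over F_{2^r}, secret key and public key derived from a seed), the Round 2 salt (a salt hashed together with the message before signing), and the Round 2.1 rule that the extension degree must be prime so that F_{2^r} has no proper subfield. Everything about the parameters is an assumption for illustration only: v = 6 vinegar and m = 3 oil variables, r = 7 with the modulus x^7 + x + 1, the shape T = [[I, T'], [0, I]] for the linear map, a SHAKE-based seed expansion in place of the spec's PRNG, and a simplified hash-to-target mapping. Real LUOV parameters are far larger.

```python
# Toy lifted UOV (LUOV-style): key coefficients in F_2, signing and verification in F_{2^r}.
# Added example, not the LUOV reference code; sizes, modulus and hash mapping are assumptions.
import hashlib
import secrets
from functools import reduce
from operator import xor
R = 7                  # extension degree; prime (Round 2.1 rule), so F_{2^7} has no proper subfield
MOD = (1 << R) | 0b11  # assumed modulus x^7 + x + 1 for F_{2^7}
V, M = 6, 3            # vinegar variables, oil variables (= number of equations); toy sizes
N = V + M              # the oil variables are the last M of the N variables

def gf_mul(a, b):  # multiply in F_{2^R}; elements are R-bit ints in polynomial basis
    res = 0
    while b:
        res ^= a if b & 1 else 0
        a, b = a << 1, b >> 1
        if a >> R:
            a ^= MOD
    return res

def gf_inv(a):  # brute-force inverse; fine for a toy field with 127 nonzero elements
    return next(b for b in range(1, 1 << R) if gf_mul(a, b) == 1)

def proper_subfield_degrees(r):
    """Degrees d of the proper subfields F_{2^d} of F_{2^r}: the divisors of r below r."""
    return [d for d in range(1, r) if r % d == 0]

def _bits(seed, label, count):  # seed-derived bit stream; stand-in for the spec's PRNG expansion
    data = hashlib.shake_256(seed + label).digest((count + 7) // 8)
    return [(data[i >> 3] >> (i & 7)) & 1 for i in range(count)]

def keygen(seed):
    """SK: F (M upper-triangular bit matrices, zero oil x oil block) and T'; PK: P = F o T."""
    if proper_subfield_degrees(R) != [1]:
        raise ValueError("extension degree must be prime")
    fb = iter(_bits(seed, b"F", M * N * N))
    F = [[[next(fb) if i <= j and not (i >= V and j >= V) else 0
           for j in range(N)] for i in range(N)] for _ in range(M)]
    tb = iter(_bits(seed, b"T", V * M))
    Tp = [[next(tb) for _ in range(M)] for _ in range(V)]
    T = [[1 if i == j else (Tp[i][j - V] if i < V <= j else 0)
          for j in range(N)] for i in range(N)]
    P = []
    for Q in F:  # T^T Q T over F_2, refolded to an upper-triangular bit matrix
        S = [[sum(T[a][i] & Q[a][b] & T[b][j] for a in range(N) for b in range(N)) & 1
              for j in range(N)] for i in range(N)]
        P.append([[S[i][i] if i == j else (S[i][j] ^ S[j][i] if i < j else 0)
                   for j in range(N)] for i in range(N)])
    return (F, Tp), P

def evaluate(Qs, x):  # lifted evaluation: bit-coefficient quadratic forms at x in F_{2^R}^N
    return [reduce(xor, (gf_mul(x[i], x[j]) for i in range(N) for j in range(i, N) if Q[i][j]), 0)
            for Q in Qs]

def hash_to_target(msg, salt):  # H(msg || salt) as M elements of F_{2^R}; simplified stand-in
    return [b & ((1 << R) - 1) for b in hashlib.shake_256(msg + salt).digest(M)]

def solve(A, b):  # Gauss-Jordan over F_{2^R}; returns None when A is singular
    A = [row[:] + [b[i]] for i, row in enumerate(A)]
    for c in range(M):
        piv = next((r for r in range(c, M) if A[r][c]), None)
        if piv is None:
            return None
        A[c], A[piv] = A[piv], A[c]
        inv = gf_inv(A[c][c])
        A[c] = [gf_mul(inv, v) for v in A[c]]
        for r in range(M):
            if r != c and A[r][c]:
                A[r] = [A[r][k] ^ gf_mul(A[r][c], A[c][k]) for k in range(M + 1)]
    return [A[r][M] for r in range(M)]

def sign(sk, msg):
    """Salted signing: random vinegar values make F linear in the oil values; solve, then undo T."""
    F, Tp = sk
    salt = secrets.token_bytes(16)       # Round 2 change: a salt is hashed together with the message
    y = hash_to_target(msg, salt)
    for _ in range(100):                 # retry with fresh vinegar values if the system is singular
        v = [secrets.randbelow(1 << R) for _ in range(V)]
        A, c = [[0] * M for _ in range(M)], [0] * M
        for k, Q in enumerate(F):        # F_k(v, o) = c_k + sum_j A[k][j] o_j: no oil x oil terms
            for i in range(V):
                c[k] ^= reduce(xor, (gf_mul(v[i], v[j]) for j in range(i, V) if Q[i][j]), 0)
                for j in range(V, N):
                    if Q[i][j]:
                        A[k][j - V] ^= v[i]
        o = solve(A, [y[k] ^ c[k] for k in range(M)])
        if o is not None:
            break
    else:
        raise RuntimeError("no invertible oil system found")
    # x = T^{-1}(v, o); over F_2 this T is an involution, so x_v = v + T' o and x_o = o
    xv = [v[i] ^ reduce(xor, (o[j] for j in range(M) if Tp[i][j]), 0) for i in range(V)]
    return xv + o, salt

def verify(pk, msg, sig):  # needs only the public bit matrices and the lifted evaluation
    x, salt = sig
    return evaluate(pk, x) == hash_to_target(msg, salt)
```

Usage: `sk, pk = keygen(seed)`, `sig = sign(sk, msg)`, `verify(pk, msg, sig)`. The public matrices contain only bits, which is where the key-size saving of lifting comes from, while signatures and hash targets are vectors over F_{2^7}. The check in `keygen` encodes the Round 2.1 parameter rule: `proper_subfield_degrees(8)` returns `[1, 2, 4]` and `proper_subfield_degrees(48)` lists all nine proper divisors, whereas a prime degree such as 7 or 47 yields only the trivial subfield F_2.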